Hewlett-Packard shipping malware-infected compact flash cards

Earlier this week, HP’s Software Security Response Team issued a security bulletin alerting users that certain HP ProCurve 5400 zl switches were shipped with malware installed on the associated compact flash cards. No details were given about the type of malware shipped to unsuspecting customers.

More details on the affected switches, including their serial numbers:

A potential security vulnerability has been identified with certain HP ProCurve 5400 zl switches containing compact flash cards which may be infected with a virus. Reuse of an infected compact flash card in a personal computer could result in a compromise of that system’s integrity.

Affected switches and their associated serial numbers are as follows:

J9532A 5412zl-92GG-PoE+ / 2XG SFP+ v2 Switch

J9533A 5406zl-44G-PoE+ / 2XG SFP+ v2 Switch

J9539A 5406zl-44G-PoE+ / 4G SFP v2 Switch

J9540A 5412zl-92G-PoE+ / 4G SFP v2 Switch

J9642A HP E5406 zl Switch with Premium Software

J9643A HP E5412 zl Switch with Premium Software

J8697A HP E5406 zl Switch Chassis

J8698A HP E5412 zl Switch Chassis

J8699A HP 5406-48G zl Switch

J8700A HP 5412-96G zl Switch

J9447A HP 5406-44G-PoE+-4SFP zl Switch

J9448A HP 5412-92G-PoE+-4SFP zl Switch

J8726A Management Module in the 5400 series zl switch with the following serial numbers: ID116AS04P through ID116AS0HR; ID117AS00H through ID126AS0FB

Serial numbers of the affected HP switches:


HP isn’t the first company to ship Certified Pre-Owned (CPO) hardware. Moreover, in 2008 the company also shipped hardware carrying malicious software, W32.Fakerecy and W32.SillyFDC; in that case it was infected 256K / 1GB USB drives.

These incidents are the result of a flawed quality assurance process, one that allows cybercriminals to penetrate even deeper into a company’s supply chain.

End users and corporate users are advised to check whether their HP switch is malware-infected, and to follow the steps presented in the security bulletin to mitigate the risk posed by the infected compact flash cards.